Florian Roth
4ab3ebf6b2
Merge pull request #2128 from OTRF/feature/Susp-ADFS-NamedPipe
...
Detect suspicious named pipe connections to an AD FS WID
2021-10-09 16:47:25 +02:00
Florian Roth
2379907f26
docs: extended the description by a word
2021-10-09 16:42:42 +02:00
Florian Roth
f475b90ee3
fix: typo in description
2021-10-09 16:41:48 +02:00
frack113
5c68c42058
order powershell_script
2021-10-09 10:30:36 +02:00
Florian Roth
6c4e24d0de
rule: coin miner param --cpu-priority
2021-10-09 10:28:16 +02:00
frack113
77749510b7
fix yml
2021-10-09 10:01:40 +02:00
frack113
41d098b253
fix yml error
2021-10-09 09:59:21 +02:00
frack113
9b0f744f75
order powershell_script
2021-10-09 09:57:45 +02:00
frack113
fe7fbfd5fc
order powershell_module
2021-10-09 09:50:49 +02:00
Florian Roth
5b49b5ee17
Merge pull request #2130 from phantinuss/master
...
fix: prevent FP triggering of other sources utilising ID 1102
2021-10-08 20:14:08 +02:00
phantinuss
04c37d977b
fix: prevent FP triggering of other sources utilising ID 1102
2021-10-08 16:43:14 +02:00
frack113
98b24d30ae
Merge pull request #2125 from frack113/nuclei_iis_fuzzing
...
Nuclei iis fuzzing
2021-10-08 16:40:01 +02:00
Bhabesh Rai
a45e516f99
Added rule for possible persistence via VMTools
2021-10-08 13:28:35 +05:45
Roberto Rodriguez
7f17eaeb87
added rule to detect suspicious named pipe connections to an AD FS server
2021-10-08 01:57:22 -04:00
Mika Luhta
e70d17745e
Update modified field
2021-10-07 18:42:22 +02:00
Mika Luhta
0ee777e3b4
Fix rule detection logic
...
Changed ParentImage to Image
2021-10-07 14:25:18 +03:00
frack113
0d04b469f7
order powershell_classic
2021-10-07 07:40:53 +02:00
frack113
930d2d4223
fix id
2021-10-06 17:53:16 +02:00
frack113
dfd316c0ce
Add web_iis_tilt_shortname_scan.yml
2021-10-06 17:46:15 +02:00
frack113
6d56e400d2
Merge pull request #2121 from frack113/update_test
...
Update test adding logsource to duplicate logic test
2021-10-06 14:46:48 +02:00
Florian Roth
7cf01c2f0c
extended CVE-2021-41773 rule
2021-10-06 12:43:10 +02:00
Florian Roth
539756c884
Merge pull request #2124 from SigmaHQ/rule-devel
...
rule: Apache Path Traversal - CVE-2021-41773
2021-10-06 10:55:26 +02:00
frack113
d0561d361b
Merge pull request #2123 from rachelrice/update_aws_rules
...
Update AWS SAML and Lambda rules
2021-10-05 19:49:54 +02:00
Rachel Rice
d9e5da6c86
Use startswith for eventName selection
...
Signed-off-by: Rachel Rice <rachel.rice@lacework.net>
2021-10-05 17:52:52 +01:00
Florian Roth
5576f50470
fix: title, add my name
2021-10-05 17:35:09 +02:00
Florian Roth
0fde46b602
Merge branch 'master' into rule-devel
2021-10-05 17:33:48 +02:00
Florian Roth
482df0a0ad
rule: Apache Vuln CVE-2021-41773
2021-10-05 17:33:37 +02:00
frack113
651d453aeb
Merge pull request #2122 from frack113/move_file
...
Move file to correct directory
2021-10-05 16:58:26 +02:00
frack113
ba3356cdb0
Merge pull request #2120 from MetallicHack/master
...
azure_ad_user_added_to_admin_role.yml
2021-10-05 16:57:58 +02:00
Rachel Rice
4ae3ece314
Update AWS SAML and Lambda rules
...
Use correct case for `AssumeRoleWithSAML` event name.
`UpdateFunctionConfiguration`, `UpdateFunctionConfiguration20150331` and `UpdateFunctionConfiguration20150331v2` are all valid event names for updating Lambda function configuration, added selection condition for any of these.
2021-10-05 14:08:40 +01:00
MetallicHack
030fc2a03e
change title and tags in order to match sigmarules
2021-10-05 09:40:25 +02:00
MetallicHack
a4100e76b9
change title and tags in order to match sigmarules
2021-10-05 09:39:03 +02:00
frack113
ad9362e043
Update passed_role_to_glue_development_endpoint.yml
2021-10-05 07:41:41 +02:00
frack113
3b01425936
Update aws_pass_role_to_lambda_function.yml
2021-10-05 07:40:42 +02:00
frack113
80d09483d9
move to builtin
2021-10-05 07:33:50 +02:00
frack113
4f86a245f8
Order file in correct directory
2021-10-05 07:30:43 +02:00
frack113
201708c097
Merge pull request #2103 from webboy2015/patch-1
...
Create win_lolbas_execution_of_nltest.exe.yaml
2021-10-05 07:24:05 +02:00
frack113
654b5b4bff
Update win_lolbas_execution_of_nltest.yml
2021-10-04 22:08:47 +02:00
frack113
fd329f4f9b
Remove unneeded EventID
2021-10-04 21:25:57 +02:00
MetallicHack
fe439e1998
Rename azure_ad_user_added_to_sensitive_role.yml to azure_ad_user_added_to_admin_role.yml
2021-10-04 15:26:58 +02:00
MetallicHack
96f05f7f19
Update azure_ad_user_added_to_sensitive_role.yml
2021-10-04 15:25:55 +02:00
Austin Songer
d694d6faa8
Create passed_role_to_glue_development_endpoint.yml
2021-10-03 23:03:39 -05:00
Austin Songer
60eccf711d
Rename pass_role_to_lambda_function.yml to aws_pass_role_to_lambda_function.yml
2021-10-03 22:54:19 -05:00
Austin Songer
92b1ce4cf4
Create pass_role_to_lambda_function.yml
2021-10-03 22:54:01 -05:00
frack113
dc030e0128
Merge pull request #2114 from austinsonger/process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml
...
process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml
2021-10-03 08:24:52 +02:00
Austin Songer
81d1bb0e2b
Update process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml
2021-10-02 13:32:20 -05:00
frack113
e666b7e1db
Merge pull request #2116 from zakibro/master
...
New Rule - Linux - Auditd - Clipboard Collection of Image Data with X…
2021-10-02 11:06:24 +02:00
zakibro
c2a26923c6
Update lnx_auditd_clipboard_image_collection.yml
2021-10-02 09:59:37 +02:00
frack113
f652745924
Update and rename win_lolbas_execution_of_nltest.exe to win_lolbas_execution_of_nltest.yml
2021-10-02 07:53:19 +02:00
frack113
e6b32b90af
Update win_lolbas_execution_of_nltest.exe
2021-10-02 07:25:11 +02:00
frack113
d819d726eb
Merge pull request #2112 from austinsonger/macos_suspicious_macos_firmware_activity.yml
...
macos_suspicious_macos_firmware_activity.yml
2021-10-02 07:09:11 +02:00
webboy2015
87df79302d
Update win_lolbas_execution_of_nltest.exe
...
Changed condition as follows:
detection:
    selection:
        EventID: 4689
        ProcessName|endswith: nltest.exe
        Status: "0x0"
    condition: selection
Included field - SubjectDomainName
2021-10-01 12:55:37 -07:00
zakibro
d40b42fc2c
Update lnx_auditd_clipboard_image_collection.yml
...
fixing a typo
2021-10-01 18:54:12 +02:00
Pawel Mazur
e67770d7ea
New Rule - Linux - Auditd - Clipboard Collection of Image Data with Xclip Tool
2021-10-01 18:43:03 +02:00
frack113
19a834e317
Merge pull request #2111 from TareqAlKhatib/master
...
Corrected Technique
2021-10-01 15:17:01 +02:00
Tareq Alkhatib
0d22601112
Added Compromise Infrastructure: Web Services technique
2021-10-01 08:40:59 -04:00
Austin Songer
04acba9c77
Create process_creation_lolbas_data_exfiltration_by_using_datasvcutil.yml
2021-09-30 19:58:21 -05:00
Austin Songer
d55ffe721e
Update process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml
2021-09-30 19:19:18 -05:00
Austin Songer
e274df1b13
Update process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml
2021-09-30 19:18:38 -05:00
Austin Songer
b14d9e3826
Update process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml
2021-09-30 19:16:02 -05:00
Austin Songer
7f0ad710fd
Delete process_creationprocess_creation_lolbins_suspicious_driver_installed_by_pnputil.yml
2021-09-30 19:15:40 -05:00
Austin Songer
18d65387b5
Create process_creation_lolbins_suspicious_driver_installed_by_pnputil.yml
2021-09-30 19:15:03 -05:00
Austin Songer
3d7f96ddd7
Create process_creationprocess_creation_lolbins_suspicious_driver_installed_by_pnputil.yml
2021-09-30 19:14:34 -05:00
Austin Songer
00513ff2c5
Create macos_suspicious_macos_firmware_activity.yml
2021-09-30 18:47:15 -05:00
Tareq Alkhatib
b0b95ce32b
Corrected Technique
2021-09-30 16:34:14 -04:00
frack113
e900945761
Update win_trust_discovery.yml
2021-09-30 19:26:14 +02:00
zaicurity
76224b0fb2
Added alternative nltest command parameter
...
Same as recent change to "Recon Activity with NLTEST" (see commit a2418e4d2c)
Added the command parameter '/trusted_domains' for nltest which can be used as an alternative to '/domain_trusts' to bypass detection.
Tested on Windows 10.0.19042
Reference: https://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/
2021-09-30 18:12:19 +02:00
frack113
1c842037cf
Merge pull request #2109 from Karneades/patch-1
...
Add fp note to powershell winapi rule
2021-09-30 17:45:03 +02:00
frack113
6eea77ae38
Merge pull request #2105 from frack113/powershell
...
powershell_susp_zip_compress add 4104
2021-09-30 17:40:13 +02:00
Andreas Hunkeler
82ba266a53
Add fp note to powershell winapi rule
2021-09-30 16:38:39 +02:00
frack113
29d66a965c
add 4104
2021-09-30 10:03:11 +02:00
webboy2015
056067086c
Create win_lolbas_execution_of_nltest.exe.yaml
...
The attacker might use LOLBAS nltest.exe for the discovery of domain controllers, domain trusts, parent domain, and the current user permissions. This event can be detected in the Windows Security Log by looking for event id 4689 indicating that nltest.exe was executed and has exited with the execution result of "0x0".
2021-09-29 14:33:36 -07:00
frack113
84ec2f582a
Merge pull request #2100 from kidrek/sysmon_delete_prefetch
...
Add new rule - sysmon_delete_prefetch - AntiForensic
2021-09-29 17:53:33 +02:00
frack113
ed1a1caa2e
Merge pull request #2098 from frack113/fix_tags
...
fix tags in win_susp_mpcmdrun_download.yml
2021-09-29 17:06:18 +02:00
neonprimetime security (Justin C Miller)
2ae2c35a7f
misspelled 'mshta.exe' in selection_base
...
it said 'mhsta.exe' and it should say 'mshta.exe'
2021-09-29 07:47:12 -05:00
frack113
17ad95cd12
Update sysmon_delete_prefetch.yml
2021-09-29 10:58:00 +02:00
kidrek
da4a8a0ffd
Fix title field error
2021-09-29 09:49:58 +02:00
kidrek
d3fc6b118d
Add new rule - sysmon_delete_prefetch - AntiForensic
2021-09-29 09:42:17 +02:00
frack113
4a66ea04bd
fix tags
2021-09-29 08:26:05 +02:00
zaicurity
a2418e4d2c
Added alternative command parameter
...
Added the command parameter '/trusted_domains' for nltest which can be used as an alternative to '/domain_trusts' to bypass detection.
Tested on Windows 10.0.19042
Reference: https://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/
2021-09-28 17:39:21 +02:00
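Two changes in this log hinge on how Sigma string modifiers match event fields: zaicurity's nltest commits (a2418e4d2c and its follow-up), where a rule matching only '/domain_trusts' is bypassed by '/trusted_domains', and Rachel Rice's AWS rule update, where `startswith` covers the several `UpdateFunctionConfiguration*` event names and the case of `AssumeRoleWithSAML` is corrected. The following is an added example, not code from the SigmaHQ repository or from these contributors: a minimal Python re-implementation of the `contains`, `startswith`, `endswith` and exact-match semantics, run over constructed Sysmon process-creation and CloudTrail records. The field names follow Sysmon and CloudTrail, but the selections and sample events are assumptions written for this example, not the repository's rules. The matcher compares case-insensitively, as Sigma's specification defines string matching; a backend that does not honour that is precisely why the event-name case fix still matters.

```python
"""Sigma-style string modifiers applied to constructed sample events.

Added example, not code from the SigmaHQ repository. Re-implements the
`startswith`, `endswith`, `contains` and exact-value semantics of a Sigma
selection in a few lines; it is not the sigma-cli / pySigma code path.
"""
from typing import Any, Dict, List

# A selection is a dict of "Field|modifier": value-or-list, as in a Sigma rule.
Selection = Dict[str, Any]
Event = Dict[str, Any]


def _match_value(actual: Any, modifier: str, expected: Any) -> bool:
    """Compare one field value against one expected value under a modifier."""
    a = str(actual).lower()   # case-insensitive, per the Sigma specification
    e = str(expected).lower()
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    if modifier == "contains":
        return e in a
    if modifier == "":
        return a == e
    raise ValueError(f"unsupported modifier: {modifier}")


def matches(selection: Selection, event: Event) -> bool:
    """All selection fields must match; a list value matches if any element does."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        values = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(event[field], modifier, v) for v in values):
            return False
    return True


# --- nltest trust discovery (assumed selections, not the repository's rule) ---
# Before the change: only /domain_trusts is matched.
NLTEST_OLD: Selection = {
    "Image|endswith": "\\nltest.exe",
    "CommandLine|contains": "/domain_trusts",
}
# After the change: either parameter is matched.
NLTEST_NEW: Selection = {
    "Image|endswith": "\\nltest.exe",
    "CommandLine|contains": ["/domain_trusts", "/trusted_domains"],
}

# Constructed process-creation events (Sysmon EID 1 field names).
PROC_EVENTS: List[Event] = [
    {"Image": "C:\\Windows\\System32\\nltest.exe",
     "CommandLine": "nltest /domain_trusts /all_trusts"},
    {"Image": "C:\\Windows\\System32\\nltest.exe",
     "CommandLine": "nltest /trusted_domains"},          # slips past NLTEST_OLD
    {"Image": "C:\\Windows\\System32\\nltest.exe",
     "CommandLine": "nltest /dsgetdc:corp.example"},     # DC lookup, not trusts
]

# --- AWS CloudTrail (assumed selections) -------------------------------------
AWS_LAMBDA_SEL: Selection = {
    "eventSource": "lambda.amazonaws.com",
    "eventName|startswith": "UpdateFunctionConfiguration",
}
AWS_SAML_SEL: Selection = {
    "eventSource": "sts.amazonaws.com",
    "eventName": "AssumeRoleWithSAML",
}

# Constructed CloudTrail records, reduced to the fields the selections read.
AWS_EVENTS: List[Event] = [
    {"eventSource": "lambda.amazonaws.com",
     "eventName": "UpdateFunctionConfiguration20150331v2"},
    {"eventSource": "lambda.amazonaws.com",
     "eventName": "UpdateFunctionCode20150331v2"},        # code push, not config
    {"eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRoleWithSAML"},
]


def hits(selection: Selection, events: List[Event]) -> List[int]:
    """Indexes of the events a selection matches."""
    return [i for i, ev in enumerate(events) if matches(selection, ev)]


if __name__ == "__main__":
    print("nltest old rule :", hits(NLTEST_OLD, PROC_EVENTS))    # [0]
    print("nltest new rule :", hits(NLTEST_NEW, PROC_EVENTS))    # [0, 1]
    print("lambda config   :", hits(AWS_LAMBDA_SEL, AWS_EVENTS))  # [0]
    print("saml assume     :", hits(AWS_SAML_SEL, AWS_EVENTS))    # [2]
```

The second nltest event is the bypass the commit closes: the binary is the same, only the parameter spelling differs, so a `contains` list rather than a single string is what makes the rule hold. On the AWS side, `startswith` collects the versioned `UpdateFunctionConfiguration` names without also catching `UpdateFunctionCode`, which is a different action.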
frack113
c27084dd0c
Merge pull request #2094 from frack113/backend_sysmon
...
Fix logsource not a string
2021-09-28 16:22:58 +02:00
frack113
c3222945ef
Merge pull request #2093 from austinsonger/win_sysmon_driver_unload.yml
...
win_sysmon_driver_unload.yml
2021-09-28 16:22:43 +02:00
frack113
f8ec71c00c
Merge pull request #2072 from austinsonger/aws_attached_malicious_lambda_layer.yml
...
aws_attached_malicious_lambda_layer.yml
2021-09-28 13:08:01 +02:00
Austin Songer
0d07a78a2d
Update aws_attached_malicious_lambda_layer.yml
2021-09-27 23:41:19 -05:00
Austin Songer
3e7b3073cf
Update win_sysmon_driver_unload.yml
2021-09-27 23:30:30 -05:00
Florian Roth
1da59d9175
Merge pull request #2092 from SigmaHQ/rule-devel
...
docs: changed description
2021-09-27 23:13:09 +02:00
Florian Roth
4161cd909f
docs: changed description
2021-09-27 23:12:18 +02:00
Florian Roth
10b70edff0
Merge pull request #2091 from SigmaHQ/rule-devel
...
NOBELIUM FoggyWeb backdoor loading
2021-09-27 23:09:18 +02:00
Florian Roth
b227f8459d
fix: typo in filename
2021-09-27 22:37:20 +02:00
Florian Roth
ada966c5be
Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel
2021-09-27 22:34:30 +02:00
Florian Roth
cee44e6688
renamed files: lowercase
2021-09-27 22:33:30 +02:00
Florian Roth
97bb6a0257
rule: NOBELIUM FoggyWeb
2021-09-27 22:28:25 +02:00
frack113
bcf40fa4e4
Fix logsource not a string
2021-09-27 18:59:05 +02:00
Florian Roth
5ef1c913cf
fix: wrong condition
...
https://github.com/SigmaHQ/sigma/issues/2089
2021-09-27 18:33:57 +02:00
frack113
6bce0f967a
Merge pull request #2079 from zakibro/master
...
New Rule - Linux - Auditd - Clipboard Collection
2021-09-27 08:34:30 +02:00
zakibro
6a2785492d
Update lnx_auditd_clipboard_collection.yml
...
Changes after suggestion.
2021-09-27 07:59:43 +02:00
Florian Roth
f196e3174d
refactor: moved last global rule to unsupported
2021-09-26 10:54:11 +02:00
MetallicHack
d888ce67bc
Create azure_ad_user_added_to_sensitive_role.yml
2021-09-25 21:57:10 +02:00
Florian Roth
93bff7f49d
docs: new ID
2021-09-25 11:37:39 +02:00
Florian Roth
31ef53738d
refactor: removed old Joomla rules, made generic path traversal
2021-09-25 11:37:02 +02:00
frack113
7dc574bc01
Merge pull request #2078 from kidrek/win_process_dump_rdrleakdiag
...
add new rule win_process_dump_rdrleakdiag
2021-09-25 07:55:52 +02:00
frack113
8fe222a92c
Merge pull request #2077 from frack113/remove_re
...
Convert re to endswith
2021-09-25 07:55:22 +02:00
Sittikorn S
7c8df0eb55
Update web_cve_2021_22005_vmware_file_upload.yml
2021-09-25 08:05:00 +07:00
kidrek
267da51745
The issues have been fixed
2021-09-24 22:18:00 +02:00
Pawel Mazur
4bbe4962b0
New Rule - Linux - Auditd - Clipboard Collection
2021-09-24 18:40:10 +02:00
kidrek
ecd4719a20
add new rule win_process_dump_rdrleakdiag
2021-09-24 18:22:06 +02:00
Sittikorn S
dea89ad324
Update and rename web_cve_2021_22005_vmware_file_upload to web_cve_2021_22005_vmware_file_upload.yml
2021-09-24 21:35:04 +07:00
Sittikorn S
f903640b73
Update web_cve_2021_22005_vmware_file_upload
2021-09-24 21:29:43 +07:00
Sittikorn S
16452ca80e
Create web_cve_2021_22005_vmware_file_upload
2021-09-24 21:21:09 +07:00
frack113
ef75695647
convert re to endswith
2021-09-24 15:39:56 +02:00
Austin Songer
8203a2d5f2
Update aws_attached_malicious_lambda_layer.yml
2021-09-23 08:40:26 -05:00
Austin Songer
fdc45505e0
Create aws_attached_malicious_lambda_layer.yml
2021-09-23 08:38:02 -05:00
Austin Songer
b9123422b8
Delete aws_attached_malicious_lambda_layer.yml
2021-09-23 08:37:34 -05:00
Austin Songer
9e9fd4c23d
Create aws_attached_malicious_lambda_layer.yml
2021-09-23 08:37:20 -05:00
frack113
aa96f21d0f
fix filename
2021-09-23 14:52:56 +02:00
frack113
934e391159
fix filename
2021-09-23 14:51:59 +02:00
frack113
44feb3ddf6
fix filename
2021-09-23 14:46:13 +02:00
frack113
89776b8c14
fix filename
2021-09-23 14:44:51 +02:00
frack113
8b5f62bdb7
fix filename
2021-09-23 14:41:16 +02:00
frack113
c029e62c64
fix filename
2021-09-23 14:37:34 +02:00
Florian Roth
bb2e6acd40
Merge pull request #1926 from pbssubhash/master
...
Adding CVE's Exploitation attempt detection: Year - 2010
2021-09-23 14:08:15 +02:00
frack113
e9260679d4
Merge pull request #2064 from SigmaHQ/rule-devel
...
Changed tags in lnx_clear_syslog.yml
2021-09-23 13:55:18 +02:00
frack113
c59b0eb543
Merge pull request #2063 from frack113/last_global
...
Split Last Global Rules
2021-09-23 13:54:57 +02:00
Florian Roth
3107ede1c4
Merge branch 'pr/2065'
2021-09-23 09:18:15 +02:00
frack113
688903192d
Merge branch 'fix_filename_test' of https://github.com/frack113/sigma into fix_filename_test
2021-09-23 08:01:19 +02:00
frack113
605fa2dd80
update filename
2021-09-23 07:58:50 +02:00
frack113
cce90a669a
Merge pull request #2067 from austinsonger/aws_suspicious_saml_activity.yml
...
aws_suspicious_saml_activity.yml
2021-09-23 06:34:18 +02:00
frack113
525a310c86
Merge pull request #2068 from austinsonger/typos
...
Typos
2021-09-23 06:32:49 +02:00
Austin Songer
53f426342c
Update win_file_winword_cve_2021_40444.yml
2021-09-22 22:26:05 -05:00
Austin Songer
ab613af365
Update sysmon_atlassian_confluence_cve_2021_26084_exploit.yml
2021-09-22 22:24:24 -05:00
Austin Songer
6942b9c5e8
Update aws_suspicious_saml_activity.yml
2021-09-22 20:16:50 -05:00
Austin Songer
d1337bbfbf
Create aws_suspicious_saml_activity.yml
2021-09-22 20:15:36 -05:00
Austin Songer
097c6c3537
Update okta_user_account_locked_out.yml
2021-09-22 19:54:46 -05:00
Austin Songer
05d454d794
Update okta_unauthorized_access_to_app.yml
2021-09-22 19:54:39 -05:00
Austin Songer
26b99a44c0
Update okta_security_threat_detected.yml
2021-09-22 19:54:32 -05:00
Austin Songer
f55b9ef024
Update okta_policy_rule_modified_or_deleted.yml
2021-09-22 19:54:23 -05:00
Austin Songer
100eb06e7a
Update okta_policy_modified_or_deleted.yml
2021-09-22 19:54:15 -05:00
Austin Songer
9d910d823a
Update okta_network_zone_deactivated_or_deleted.yml
2021-09-22 19:54:09 -05:00
Austin Songer
ea73c692d7
Update okta_mfa_reset_or_deactivated.yml
2021-09-22 19:54:02 -05:00
Austin Songer
f673eb413e
Update okta_application_sign-on_policy_modified_or_deleted.yml
2021-09-22 19:53:56 -05:00
Austin Songer
1effd8b187
Update okta_application_modified_or_deleted.yml
2021-09-22 19:53:49 -05:00
Austin Songer
ccd9f8d6dc
Update okta_api_token_revoked.yml
2021-09-22 19:53:43 -05:00
Austin Songer
6401f9b4d9
Update okta_api_token_created.yml
2021-09-22 19:53:36 -05:00
Austin Songer
ecb18ec149
Update okta_admin_role_assigned_to_user_or_group.yml
2021-09-22 19:53:28 -05:00
Austin Songer
74452347fb
Update okta_user_account_locked_out.yml
2021-09-22 19:52:43 -05:00
Austin Songer
275ebf7884
Update okta_unauthorized_access_to_app.yml
2021-09-22 19:52:36 -05:00
Austin Songer
2ab5ba0a0c
Update okta_security_threat_detected.yml
2021-09-22 19:52:29 -05:00
Austin Songer
1aec430291
Update okta_policy_rule_modified_or_deleted.yml
2021-09-22 19:52:23 -05:00
Austin Songer
cead26637b
Update okta_policy_modified_or_deleted.yml
2021-09-22 19:52:17 -05:00
Austin Songer
e1eb8c6222
Update okta_network_zone_deactivated_or_deleted.yml
2021-09-22 19:52:10 -05:00
Austin Songer
38e09f061d
Update okta_mfa_reset_or_deactivated.yml
2021-09-22 19:52:04 -05:00
Austin Songer
12f76cdf6b
Update okta_application_sign-on_policy_modified_or_deleted.yml
2021-09-22 19:51:58 -05:00
Austin Songer
11732970fc
Update okta_application_modified_or_deleted.yml
2021-09-22 19:51:51 -05:00
Austin Songer
8dfae4c785
Update okta_api_token_revoked.yml
2021-09-22 19:51:44 -05:00
Austin Songer
1a64dc03a1
Update okta_api_token_created.yml
2021-09-22 19:51:31 -05:00
Austin Songer
f186235d8f
Update okta_admin_role_assigned_to_user_or_group.yml
2021-09-22 19:51:25 -05:00
frack113
3ac0d93f5b
Merge pull request #2062 from Pooch11/win-apt-greenbug-fix
...
win-apt-greenbug-fix small change to B64encoded value of '/server='
2021-09-22 20:05:37 +02:00
frack113
6e6d57b019
fix filename
2021-09-22 18:45:08 +02:00
unknown
9924cc3946
win-apt-greenbug-fix amend b64 value of /server= as seen in IOC
2021-09-22 10:33:04 -04:00
frack113
ab5f5f95bc
fix filename
2021-09-22 16:27:05 +02:00
frack113
3c906b52a0
fix filename
2021-09-22 16:21:07 +02:00
Florian Roth
b7b0bd4275
Update lnx_clear_syslog.yml
2021-09-22 09:46:05 +02:00
frack113
7b995f2d99
Merge pull request #2057 from secDre4mer/master
...
Add two rules
2021-09-22 09:15:32 +02:00
frack113
ac639bb9ec
Merge pull request #2060 from zakibro/master
...
New Rule - Linux - Auditd - Screencapture with Import Tool
2021-09-22 08:41:50 +02:00
frack113
045e87058b
add definition
2021-09-22 08:40:08 +02:00
unknown
3ace73f9fd
win-apt-greenbug-fix - change modified date as well
2021-09-21 16:59:32 -04:00
unknown
993bf46550
win-apt-greenbug-fix small change to B64encoded value of '/server=' in detection criteria
2021-09-21 16:56:01 -04:00
frack113
db9e6124e3
fix too many blank lines
2021-09-21 20:24:02 +02:00
frack113
6e08ba55c4
fix error
2021-09-21 20:16:26 +02:00
frack113
7a52da3b40
split global cleartext_protocols.yml
2021-09-21 19:56:47 +02:00
frack113
e377e4e96f
split global net_high_dns_bytes_out.yml
2021-09-21 19:53:25 +02:00
frack113
6777ca7a82
split global net_high_dns_requests_rate.yml
2021-09-21 19:51:11 +02:00
frack113
00f3055035
split global net_susp_network_scan.yml
2021-09-21 19:47:28 +02:00
frack113
b5e91d7185
fix field name and date
2021-09-21 19:41:46 +02:00
frack113
d37685d7cc
split global win_cobaltstrike_service_installs.yml
2021-09-21 19:36:34 +02:00
frack113
06a07605fd
split global win_mal_creddumper.yml
2021-09-21 19:31:52 +02:00
Pawel Mazur
e20e5033e7
New Rule - Linux - Auditd - Screencapture with Import Tool
2021-09-21 18:55:48 +02:00
Florian Roth
d884f774f9
Update powershell_memorydump_getstoragediagnosticinfo.yml
2021-09-21 18:01:46 +02:00
phantinuss
46febf48b0
fix: remove rule, too many FPs and no better matching criteria
2021-09-21 16:52:17 +02:00
frack113
dde3b17c20
split global win_mal_service_installs.yml
2021-09-21 16:17:59 +02:00
frack113
518d294ee9
fix id error
2021-09-21 16:06:27 +02:00
frack113
b9d14ef55a
split global win_metasploit_or_impacket_smb_psexec_service_install.yml
2021-09-21 16:02:47 +02:00
Max Altgelt
bf9bc03258
chore: properly name and describe rules
2021-09-21 15:59:01 +02:00
frack113
9dbc71ca2f
split global win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
2021-09-21 15:50:06 +02:00
frack113
0dd549ba67
fix selection name
2021-09-21 15:25:03 +02:00
frack113
7c8d1ab037
split global win_moriya_rootkit.yml
2021-09-21 15:18:25 +02:00
frack113
a4ad7e5358
split global win_net_ntlm_downgrade.yml
2021-09-21 15:10:08 +02:00
Max Altgelt
8c3faa390c
feat: Add rule for live memory dumping
2021-09-21 15:09:12 +02:00
frack113
a5c8fba7a5
fix error
2021-09-21 15:01:51 +02:00
Max Altgelt
346ff26809
feat: Add rule for syslog removal
2021-09-21 14:56:12 +02:00
frack113
20a785bad3
split global win_powershell_script_installed_as_service.yml
2021-09-21 13:55:04 +02:00
frack113
8c13bd23b9
split global win_powershell_web_request
2021-09-21 13:44:19 +02:00
frack113
ba3c7a020a
split global win_root_certificate_installed.yml
2021-09-21 13:34:32 +02:00
frack113
6368a88ad3
split global win_software_discovery.yml
2021-09-21 13:28:47 +02:00
frack113
332bed7906
split global win_susp_eventlog_cleared.yml
2021-09-21 13:22:40 +02:00
frack113
99f24a95a6
split global win_susp_failed_logons_single_source.yml
2021-09-21 13:19:00 +02:00
frack113
06ed7c41af
split global win_tap_driver_installation.yml
2021-09-21 13:15:21 +02:00
frack113
5951ad1d9a
Merge pull request #2056 from frack113/some_global
...
Split global rules
2021-09-21 12:42:59 +02:00
frack113
d5e1e97ed3
Merge pull request #2055 from frack113/split_invoke
...
split global win_invoke_obfuscation_*
2021-09-21 12:42:41 +02:00
frack113
0884a70e28
fix tests.py error
2021-09-21 10:52:37 +02:00